CN111582496A - Safe and efficient deep learning model prediction system and method based on SGX - Google Patents


Info

Publication number
CN111582496A
Authority
CN
China
Prior art keywords
model
deep learning
data
sgx
server module
Prior art date
Legal status
Granted
Application number
CN202010338636.2A
Other languages
Chinese (zh)
Other versions
CN111582496B (en)
Inventor
翁健
黄宏伟
杨雅希
罗伟其
Current Assignee
Jinan University
Original Assignee
Jinan University
Priority date
Filing date
Publication date
Application filed by Jinan University
Priority to CN202010338636.2A
Publication of CN111582496A
Application granted
Publication of CN111582496B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/54 Interprogram communication
    • G06F 9/547 Remote procedure calls [RPC]; Web services


Abstract

The invention discloses a safe and efficient deep learning model prediction method based on SGX. S1, a model provider terminal uploads a deep learning model through a model import module, and the model import module converts deep learning models of different formats into models that can be executed in the deep learning calculation framework inside the SGX; S2, the model user terminal and an RPC server module in the SGX carry out key agreement to obtain a communication key, which is used to encrypt the data to be predicted provided by the model user terminal and the prediction result of the deep learning model in the SGX; and S3, the model user terminal signs and encrypts the data to be predicted with the communication key, and decrypts and verifies the prediction result.

Description

Safe and efficient deep learning model prediction system and method based on SGX
Technical Field
The invention relates to the technical field of machine learning security, in particular to a safe and efficient deep learning model prediction system and method based on SGX.
Background
Machine learning, and deep learning in particular, is representative of the field of artificial intelligence. It performs excellently in fields such as image recognition and speech translation and is therefore widely used in related application scenarios to solve a range of practical problems, including authentication and gait recognition.
However, the deep learning model faces various security problems during deployment and use. These problems exist both between the deep learning model and the user and between the user and the server on which the model resides. For example, during data transmission between a user and a model, a third party may eavesdrop on the data, leaking sensitive information, or tamper with it, wasting computing resources. In addition, the server on which the deep learning model is located may itself behave maliciously, so that sensitive data a user sends to the server can be stolen or tampered with directly by the malicious server. On the other hand, the model provider wants the trained model not to expose model-related information, such as its parameters, structure and corresponding training data set, during the prediction process. For example, membership inference attacks allow an attacker to infer whether a given input sample was part of the model's training data, and a malicious server can mount such an attack using the activation outputs of the model's intermediate layers and the loss function values. All of these security issues pose unpredictable risks to the model user terminal and the model provider.
Introducing SGX (Software Guard Extensions) into deep learning offers a solution to the problems above. Tope et al. propose completing the deep learning prediction process inside SGX, but that approach does not consider data security between the user and the machine learning model; Lucjan et al. propose completing model prediction inside SGX, but their scheme runs the model in a user-side SGX environment without using the server's computing resources, which not only leaves the server's computing resources idle but also increases the communication cost between client and server. Moreover, all of these schemes only support completing the prediction on the CPU and do not consider using the GPU, so their efficiency is lower than that of conventional deep learning model execution.
The industry therefore urgently needs a safe and efficient deep learning model prediction method that ensures the confidentiality and integrity of both the data and the model while the model runs.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a safe and efficient deep learning model prediction system and method based on SGX that ensure the confidentiality and integrity of data and of the model while the model runs.
The purpose of the invention is realized by the following technical scheme:
A safe and efficient deep learning model prediction system based on SGX comprises a model provider terminal, a model user terminal and a server. The server comprises a model import module, a data encryption module, an RPC (remote procedure call) server module and a GPU (graphics processing unit) acceleration module. The model provider terminal sends deep learning models of different formats to the model import module; the model user terminal agrees a key with the RPC server module, signs and encrypts the data to be predicted with the agreed key, and sends the encrypted data to the RPC server module; the model import module converts the deep learning models of different formats uploaded by the model provider terminal into models that can run on the deep learning calculation framework of the RPC server module, according to the deep learning execution framework inside the SGX; the data encryption module decrypts encrypted data transmitted into the SGX from outside and encrypts data output from the SGX to the outside; the RPC server module is located inside the SGX and loads the model file produced by the model import module, feeds the data input by the user to the deep learning model to obtain a prediction result, and returns the prediction result to the user; and the GPU acceleration module completes the linear operations of the deep learning model prediction process.
A safe and efficient deep learning model prediction method based on SGX comprises the following steps:
S1, the model provider terminal uploads the deep learning model through the model import module, and the model import module converts deep learning models of different formats into models that can be executed in the deep learning calculation framework, according to the deep learning calculation framework inside the SGX;
S2, the model user terminal and the RPC server module in the SGX carry out key agreement to obtain a communication key, which is used to encrypt the data to be predicted provided by the model user terminal and the prediction result of the deep learning model in the SGX;
S3, the model user terminal signs and encrypts the data to be predicted with the communication key and then sends the encrypted data to the RPC server module;
S4, the RPC server module decrypts the encrypted data with the communication key to obtain plaintext data and then verifies the signature; if verification passes, the plaintext data is input into the deep learning model;
S5, the plaintext data is computed layer by layer in the deep learning model; whenever the deep learning model needs to perform a linear operation on data, the RPC server module takes the data out and adds a mask;
S6, the GPU acceleration module receives the masked data sent by the RPC server module, performs the linear operation on it and returns it to the RPC server module; the RPC server module removes the mask, sends the data to the deep learning model for the next operation, and repeats step S6 until model prediction finishes;
S7, the RPC server module signs the prediction result, encrypts it with the communication key and returns the encrypted result to the model user terminal, which decrypts it with the communication key and verifies the signature to obtain the prediction result.
Preferably, step S1 includes:
S101, the model provider terminal uploads the deep learning model m to the server;
S102, the server uses the model import module to convert the deep learning model m into a deep learning model m' supported by the deep learning calculation framework inside the SGX;
S103, the server places the deep learning model m' in the deep learning model library Pool_model and updates the model index of the library.
Preferably, step S2 includes:
S201, the RPC server module determines a prime number p and a primitive root g of that prime, encrypts p and g with the public key PK_a of the model user terminal, and sends the encrypted prime and primitive root to the model user terminal;
S202, after the model user terminal decrypts with its private key to obtain p and g, it generates a random number r_1 satisfying 1 ≤ r_1 ≤ p-1 and computes
Figure BDA0002467671900000041
and then sends
Figure BDA0002467671900000042
to the RPC server module;
S203, the RPC server module itself generates a random number r_2 satisfying 1 ≤ r_2 ≤ p-1 and computes
Figure BDA0002467671900000043
and then sends
Figure BDA0002467671900000044
to the model user terminal;
S204, the model user terminal computes
Figure BDA0002467671900000045
and the RPC server module computes
Figure BDA0002467671900000046
If K_a = K_b, then K_a and K_b are used as the communication key between the model user terminal and the RPC server module, respectively.
Preferably, step S3 includes:
S301, the model user terminal uses its private key SK_a to sign the data x to be predicted and the model label t_m, obtaining the signature sign_x, i.e.
Figure BDA0002467671900000047
S302, the model user terminal uses the communication key K_a to encrypt the data to be predicted together with the signature, obtaining the ciphertext c, i.e.
Figure BDA0002467671900000048
and sends the ciphertext to the RPC server module.
Preferably, step S4 includes:
S401, the RPC server module uses the communication key K_b to decrypt the ciphertext c, i.e.
Figure BDA0002467671900000051
If decryption succeeds, go to step S402; otherwise return an error message;
S402, the RPC server module obtains the decryption result (x || t_m || sign_x) and uses the public key PK_a to verify the signature sign_x; if verification passes, execute step S403, otherwise return an error message;
S403, the RPC server module uses the model label t_m to index the deep learning model m' in the deep learning model library, loads m' into GPU video memory and SGX memory, and takes the decrypted x as the input of m'.
Preferably, the steps S5 and S6 include:
S601, the RPC server module inside the SGX first selects, from the domain
Figure BDA0002467671900000052
a random number r_i, and computes from the weight matrix W_i and the bias b_i the linear result u_i corresponding to r_i, i.e. u_i = W_i r_i; u_i serves as the mask. Here, for the i-th layer linear operation that is to be outsourced to the GPU, the weight is an m_i × n_i matrix W_i and the bias is b_i;
S602, the RPC server module adds the mask u_i to the data x_i that requires linear computation, obtaining
Figure BDA0002467671900000053
i.e.
Figure BDA0002467671900000054
and sends
Figure BDA0002467671900000055
to the GPU acceleration module;
S603, the GPU acceleration module performs the linear operation on
Figure BDA0002467671900000056
i.e.
Figure BDA0002467671900000057
and sends
Figure BDA0002467671900000058
to the RPC server module;
S604, the RPC server module subtracts the mask u_i from
Figure BDA0002467671900000059
to obtain the result y_i, i.e. y_i = W_i x_i + b_i; the deep learning model continues to the next operation using y_i. Steps S601 to S604 are repeated until the deep learning model prediction process ends.
Preferably, step S7 includes:
S701, the RPC server module uses its private key SK_b to sign the prediction result p, obtaining the signature sign_p, i.e.
Figure BDA00024676719000000510
S702, the RPC server module uses the communication key K_b to encrypt the prediction result p and the signature sign_p, obtaining the ciphertext c_p, i.e.
Figure BDA0002467671900000061
and sends c_p to the model user terminal;
S703, the model user terminal uses the communication key K_a to decrypt the ciphertext c_p, obtaining (p || sign_p), and uses the public key PK_b of the RPC server module to verify the signature sign_p, which ensures the integrity of the result; if verification succeeds, the prediction result is correct.
Compared with the prior art, the invention has the following advantages:
(1) By means of Intel SGX, the invention runs the deep learning model inside the SGX, which ensures the confidentiality and integrity of the data while the model runs and also ensures the confidentiality and integrity of the model itself.
(2) The invention signs and encrypts the data exchanged between the user and the deep learning model, ensuring the confidentiality and integrity of the data in transit.
(3) The invention provides a model conversion module, so that deep learning models from different frameworks can complete prediction under a unified computing framework.
(4) The method uses the computing power of the GPU: the linear operations of the deep learning model inside the SGX are outsourced to the GPU, which accelerates the model's prediction process.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a schematic structural diagram of a secure and efficient deep learning model prediction system based on SGX according to the present invention.
FIG. 2 is a schematic diagram of the SGX of the present invention.
As shown in the figure, the SGX Enclave container is located in the Processor Reserved Memory (PRM) and stores the protected data and code. An application outside the SGX Enclave container cannot directly access data inside it; the application and the Enclave can only interact through the Enclave's predetermined interface. In addition, system-level code also has no access to the data and code inside the SGX Enclave container. The SGX Enclave can thus guarantee the confidentiality and integrity of data and code in the system.
Detailed Description
The invention is further illustrated by the following figures and examples.
Referring to fig. 1-2, a safe and efficient deep learning model prediction system based on SGX comprises a model provider terminal, a model user terminal and a server. The server comprises a model import module, a data encryption module, an RPC (remote procedure call) server module and a GPU acceleration module. The model provider terminal sends deep learning models of different formats to the model import module; the model user terminal agrees a key with the RPC server module, signs and encrypts the data to be predicted with the agreed key, and sends the encrypted data to the RPC server module; the model import module converts the deep learning models of different formats uploaded by the model provider terminal into models that can run on the deep learning calculation framework of the RPC server module, according to the deep learning execution framework inside the SGX; the data encryption module decrypts encrypted data transmitted into the SGX from outside and encrypts data output from the SGX to the outside; the RPC server module is a deep learning model RPC server module located inside the SGX that loads the model file produced by the model import module, feeds the data input by the user to the deep learning model to obtain a prediction result, and returns the prediction result to the user; and the GPU acceleration module completes the linear operations of the deep learning model prediction process.
The server is the model provider's private server, physically a computer. This computer can construct an SGX Enclave (referred to here simply as the SGX), inside which the RPC server module, a software program, runs.
The data encryption module is responsible for encrypting the communication data between the server and the model user terminal; the encryption key is maintained by the SGX, so the user's input data and the model's output data are signed and encrypted and sensitive information is not leaked. The RPC (remote procedure call) server module located inside the SGX is responsible for loading the converted deep learning model, ensuring the confidentiality and integrity of the model while it runs, decrypting and verifying the signature on the user's data, signing and encrypting the model's prediction result, and at the same time providing an interface through which the outside interacts with the deep learning model, so that the model inside the SGX can conveniently exchange data with the outside. The GPU acceleration module completes the linear operations of the deep learning model prediction process and thereby accelerates the whole prediction. The confidentiality and integrity of the data exchanged between the GPU acceleration module and the RPC server inside the SGX are ensured by a cryptographic method. The invention thus protects not only the confidentiality and integrity of the data and the model while the model runs, but also the confidentiality and integrity of the communication data between the user and the deep learning model.
The safe and efficient deep learning model prediction method based on the SGX is suitable for the safe and efficient deep learning model prediction system based on the SGX, and comprises the following steps:
S1, the model provider terminal uploads the deep learning model through the model import module, and the model import module converts deep learning models of different formats into models that can be executed in the deep learning calculation framework, according to the deep learning calculation framework inside the SGX; specifically, step S1 includes:
S101, the model provider terminal uploads the deep learning model m to the server;
S102, the server uses the model import module to convert the deep learning model m into a deep learning model m' supported by the deep learning calculation framework inside the SGX;
S103, the server places the deep learning model m' in the deep learning model library Pool_model and updates the model index of the library.
S2, the model user terminal and the RPC server module in the SGX carry out key agreement to obtain a communication key, which is used to encrypt the data to be predicted provided by the model user terminal and the prediction result of the deep learning model in the SGX; specifically, step S2 includes:
S201, the RPC server module determines a prime number p and a primitive root g of that prime, encrypts p and g with the public key PK_a of the model user terminal, and sends the encrypted p and g to the model user terminal. The RPC server module generates the prime p by locally running a prime generation algorithm. A theorem of number theory states that if p is an odd prime, a primitive root modulo p exists, so the primitive root g of p can be obtained directly with a primitive root solving algorithm. The public key of the model user terminal is published, and the RPC server module simply requests it.
S202, after the model user terminal decrypts with its private key to obtain p and g, it generates a random number r_1 satisfying 1 ≤ r_1 ≤ p-1 and computes
Figure BDA0002467671900000091
and then sends
Figure BDA0002467671900000092
to the RPC server module. The model user terminal holds its own private key and can decrypt with it any data encrypted under its public key.
S203, the RPC server module itself generates a random number r_2 satisfying 1 ≤ r_2 ≤ p-1 and computes
Figure BDA0002467671900000093
and then sends
Figure BDA0002467671900000094
to the model user terminal;
S204, the model user terminal computes
Figure BDA0002467671900000095
and the RPC server module computes
Figure BDA0002467671900000096
If K_a = K_b, then K_a and K_b are used as the communication key between the model user terminal and the RPC server module, respectively.
Here mod is the modulo operation,
Figure BDA0002467671900000097
denotes the intermediate value produced when generating the communication key K_b, and
Figure BDA0002467671900000098
denotes the intermediate value produced when generating the communication key K_a.
Figure BDA0002467671900000099
where g is the generator of the group, mod is the modulo operation, and r_1 is a random number.
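The key agreement of steps S201 to S204, including the primitive root search that S201 relies on, as a runnable example. This is added code, not the patent's implementation: the prime p is a constructed demo value, the encryption of (p, g) under PK_a is omitted because the patent does not name that scheme, and the exponent range excludes r = p-1 (an assumption) because it would yield the trivial public value 1.

```python
import secrets


def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (adequate for demo sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g: int, p: int) -> bool:
    """g is a primitive root modulo the odd prime p iff g^((p-1)/q) != 1 (mod p)
    for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def find_primitive_root(p: int) -> int:
    """The 'primitive root solving algorithm' of S201: the smallest g in [2, p-1]
    that generates the multiplicative group modulo p."""
    if p < 3 or p % 2 == 0:
        raise ValueError("p must be an odd prime")
    for g in range(2, p):
        if is_primitive_root(g, p):
            return g
    raise ValueError("no primitive root found; p is not prime")


def dh_keypair(p: int, g: int):
    """S202/S203: pick r with 1 <= r <= p-1 and return (r, g^r mod p).
    Assumption: r = p-1 is excluded, since g^(p-1) = 1 is a trivial public value."""
    r = 1 + secrets.randbelow(p - 2)        # uniform in [1, p-2]
    return r, pow(g, r, p)


def key_agreement(p: int):
    """Run S201-S204 between the RPC server module (side b) and the model user
    terminal (side a); return (K_a, K_b), which must agree."""
    g = find_primitive_root(p)              # S201: server fixes p and g
    r1, pub_a = dh_keypair(p, g)            # S202: user picks r1, sends g^r1
    r2, pub_b = dh_keypair(p, g)            # S203: server picks r2, sends g^r2
    k_a = pow(pub_b, r1, p)                 # S204: user computes (g^r2)^r1
    k_b = pow(pub_a, r2, p)                 # S204: server computes (g^r1)^r2
    return k_a, k_b


if __name__ == "__main__":
    P_DEMO = 2 ** 61 - 1                    # constructed demo prime (Mersenne)
    ka, kb = key_agreement(P_DEMO)
    assert ka == kb
    print("agreed communication key:", hex(ka))
```

A deployment would use a large prime of standard size; the small-prime checks below only exercise the arithmetic.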
S3, the model user terminal signs and encrypts the data to be predicted with the communication key and then sends the encrypted data to the RPC server module; specifically, step S3 includes:
S301, the model user terminal uses its private key SK_a to sign the data x to be predicted and the model label t_m, obtaining the signature sign_x, i.e.
Figure BDA00024676719000000910
S302, the model user terminal uses the communication key K_a to encrypt the data to be predicted together with the signature, obtaining the ciphertext c, i.e.
Figure BDA0002467671900000101
and sends the ciphertext to the RPC server module.
S4, the RPC server module decrypts the encrypted data with the communication key to obtain plaintext data and then verifies the signature; if verification passes, the plaintext data is input into the deep learning model; specifically, step S4 includes:
S401, the RPC server module uses the communication key K_b to decrypt the ciphertext c, i.e.
Figure BDA0002467671900000102
If decryption succeeds, go to step S402; otherwise return an error message;
S402, the RPC server module obtains the decryption result (x || t_m || sign_x) (the plaintext data) and uses the public key PK_a to verify the signature sign_x; if verification passes, execute step S403, otherwise return an error message;
S403, the RPC server module uses the model label t_m to index the deep learning model m' in the deep learning model library, loads m' into GPU video memory and SGX memory, and takes the decrypted x as the input of m'. Here t_m is used to index the model, and sign_x is the signature to be verified.
S5, the plaintext data is computed layer by layer in the deep learning model; whenever the deep learning model needs to perform a linear operation on data, the RPC server module takes the data out and adds a mask;
S6, the GPU acceleration module receives the masked data sent by the RPC server module, performs the linear operation on it and returns it to the RPC server module; the RPC server module removes the mask, sends the data to the deep learning model for the next operation, and repeats step S6 until model prediction finishes; specifically, steps S5 and S6 include:
S601, the RPC server module inside the SGX first selects, from the domain
Figure BDA0002467671900000103
a random number r_i, and computes from the weight matrix W_i and the bias b_i the linear result u_i corresponding to r_i, i.e. u_i = W_i r_i; u_i serves as the mask. Here, for the i-th layer linear operation that is to be outsourced to the GPU, the weight is an m_i × n_i matrix W_i and the bias is b_i;
S602, the RPC server module adds the mask u_i to the data (intermediate result) x_i that requires linear computation, obtaining
Figure BDA0002467671900000111
i.e.
Figure BDA0002467671900000112
and sends
Figure BDA0002467671900000113
to the GPU acceleration module;
S603, the GPU acceleration module performs the linear operation on
Figure BDA0002467671900000114
i.e.
Figure BDA0002467671900000115
and sends
Figure BDA0002467671900000116
to the RPC server module;
S604, the RPC server module subtracts the mask u_i from
Figure BDA0002467671900000117
to obtain the result y_i, i.e. y_i = W_i x_i + b_i; the deep learning model continues to the next operation using y_i. Steps S601 to S604 are repeated until the deep learning model prediction process ends.
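The masked outsourcing of one linear layer, steps S601 to S604, simulated with the enclave and the untrusted GPU as two plain functions. This is an added example, not the patent's code. Assumptions: the layer works over fixed-point integers modulo a prime Q (the patent gives the domain only as an equation image); the value added to the input is the random vector r_i and the value subtracted afterwards is u_i = W_i r_i, which is the reading under which S601's u_i = W_i r_i and S604's y_i = W_i x_i + b_i are consistent.

```python
import secrets

Q = (1 << 61) - 1   # constructed demo modulus (a Mersenne prime); an assumption


def matvec(w, x, bias=None):
    """Return W x (+ b) over Z_Q for an m x n matrix W given as a list of rows."""
    out = []
    for i, row in enumerate(w):
        acc = sum(a * b for a, b in zip(row, x))
        if bias is not None:
            acc += bias[i]
        out.append(acc % Q)
    return out


def gpu_linear(w, z, bias):
    """S603: the untrusted GPU acceleration module computes W z + b. It only
    ever receives the masked vector z, never the real layer input x_i."""
    return matvec(w, z, bias)


class EnclaveLinearLayer:
    """The i-th linear layer as driven by the RPC server module inside SGX."""

    def __init__(self, w, bias):
        self.w, self.bias = w, bias
        self.n_in = len(w[0])

    def forward(self, x, gpu=gpu_linear):
        # S601: choose r_i uniformly from Z_Q^{n_i}; u_i = W_i r_i is the mask
        r = [secrets.randbelow(Q) for _ in range(self.n_in)]
        u = matvec(self.w, r)
        # S602: blind the input and hand x_i + r_i to the GPU
        z = [(xi + ri) % Q for xi, ri in zip(x, r)]
        # S603: the GPU returns W_i (x_i + r_i) + b_i
        masked = gpu(self.w, z, self.bias)
        # S604: subtract u_i; W_i x_i + W_i r_i + b_i - u_i = W_i x_i + b_i
        return [(m - ui) % Q for m, ui in zip(masked, u)]


def in_enclave_reference(w, x, bias):
    """Plain in-enclave computation of y_i, used to check the outsourced result."""
    return matvec(w, x, bias)


def run_demo():
    """Constructed 2x3 layer: compare the outsourced and reference outputs and
    record what the GPU actually received."""
    w, b, x = [[1, 2, 3], [4, 5, 6]], [10, 11], [7, 8, 9]
    seen = {}

    def spying_gpu(w_, z, bias):          # records what leaves the enclave
        seen["z"] = list(z)
        return gpu_linear(w_, z, bias)

    y = EnclaveLinearLayer(w, b).forward(x, gpu=spying_gpu)
    return y, in_enclave_reference(w, x, b), seen["z"]


if __name__ == "__main__":
    y, ref, z = run_demo()
    print("outsourced:", y, "reference:", ref, "gpu saw:", z)
```

The mask hides x_i from the GPU, but on its own it does not let the enclave detect a tampered GPU result; the description says integrity between the GPU and the RPC server is protected by a cryptographic method without naming it, so a deployment needs its own result check.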
S7, the RPC server module signs the prediction result, encrypts it with the communication key and returns the encrypted result to the model user terminal, which decrypts it with the communication key and verifies the signature to obtain the prediction result. Specifically, step S7 includes:
S701, the RPC server module uses its private key SK_b to sign the prediction result p, obtaining the signature sign_p, i.e.
Figure BDA0002467671900000118
S702, the RPC server module uses the communication key K_b to encrypt the prediction result p and the signature sign_p, obtaining the ciphertext c_p, i.e. c_p = Enc_{K_b}(p || sign_p), and sends c_p to the model user terminal;
S703, the model user terminal uses the communication key K_a to decrypt the ciphertext c_p, obtaining (p || sign_p), and uses the public key PK_b of the RPC server module to verify the signature sign_p, which ensures the integrity of the result; if verification succeeds, the prediction result is correct.
The above-mentioned embodiments are preferred embodiments of the present invention, and the present invention is not limited thereto, and any other modifications or equivalent substitutions that do not depart from the technical spirit of the present invention are included in the scope of the present invention.

Claims (8)

1. A safe and efficient deep learning model prediction system based on SGX is characterized by comprising: a model provider terminal, a model user terminal and a server; the server comprises a model import module, a data encryption module, an RPC server module and a GPU acceleration module;
the model provider terminal is used for sending the deep learning models with different formats to the model import module;
the model user terminal is used for agreeing a key with the RPC server module, signing and encrypting data to be predicted according to the agreed key, and sending the encrypted data to be predicted to the RPC server module;
the model import module is used for converting deep learning models with different formats uploaded by a model provider terminal into models capable of running on a deep learning calculation frame of the RPC server module according to a deep learning execution frame in the SGX;
the data encryption module is used for decrypting encrypted data transmitted into the SGX from outside and encrypting data output from the SGX to the outside;
the RPC server module is a deep learning model RPC server module positioned in the SGX and used for loading the model file obtained by the conversion of the model import module, sending the data input by the user to the deep learning model to obtain a prediction result and returning the prediction result to the user;
and the GPU acceleration module is used for finishing linear operation of the deep learning model prediction process.
2. A safe and efficient deep learning model prediction method based on SGX is characterized by comprising the following steps:
S1, the model provider terminal uploads the deep learning model through the model import module, and the model import module converts deep learning models of different formats into models that can be executed in the deep learning calculation framework, according to the deep learning calculation framework inside the SGX;
S2, the model user terminal and the RPC server module in the SGX carry out key agreement to obtain a communication key, which is used to encrypt the data to be predicted provided by the model user terminal and the prediction result of the deep learning model in the SGX;
S3, the model user terminal signs and encrypts the data to be predicted with the communication key and then sends the encrypted data to the RPC server module;
S4, the RPC server module decrypts the encrypted data with the communication key to obtain plaintext data and then verifies the signature; if verification passes, the plaintext data is input into the deep learning model;
S5, the plaintext data is computed layer by layer in the deep learning model; whenever the deep learning model needs to perform a linear operation on data, the RPC server module takes the data out and adds a mask;
S6, the GPU acceleration module receives the masked data sent by the RPC server module, performs the linear operation on it and returns it to the RPC server module; the RPC server module removes the mask, sends the data to the deep learning model for the next operation, and repeats step S6 until model prediction finishes;
S7, the RPC server module signs the prediction result, encrypts it with the communication key and returns the encrypted result to the model user terminal, which decrypts it with the communication key and verifies the signature to obtain the prediction result.
3. The SGX-based safe and efficient deep learning model prediction method according to claim 2, wherein the step S1 comprises:
S101, the model provider terminal uploads the deep learning model m to the server;
S102, the server uses the model import module to convert the deep learning model m into a deep learning model m' supported by the deep learning computation framework inside the SGX;
S103, the server places the deep learning model m' in the deep learning model library Pool_model and updates the model index of the deep learning model library.
4. The SGX-based safe and efficient deep learning model prediction method according to claim 3, wherein the step S2 comprises:
S201, the RPC server module selects a prime number p and a primitive root g of p, encrypts p and g with the public key PK_a of the model user terminal, and sends the encrypted p and g to the model user terminal;
S202, after the model user terminal decrypts them with its private key to obtain p and g, it generates a random number r_1 satisfying 1 ≤ r_1 ≤ p-1, computes [Figure FDA0002467671890000031], and then sends [Figure FDA0002467671890000032] to the RPC server module;
S203, the RPC server module itself generates a random number r_2 satisfying 1 ≤ r_2 ≤ p-1, computes [Figure FDA0002467671890000033], and then sends [Figure FDA0002467671890000034] to the model user terminal;
S204, the model user terminal computes [Figure FDA0002467671890000035] and the RPC server module computes [Figure FDA0002467671890000036]; if K_a = K_b, K_a and K_b are used respectively as the communication key between the model user terminal and the RPC server module.
5. The SGX-based safe and efficient deep learning model prediction method according to claim 4, wherein the step S3 comprises:
S301, the model user terminal uses its private key SK_a to sign the data to be predicted x and the model label t_m, obtaining the signature sign_x, i.e. [Figure FDA0002467671890000037];
S302, the model user terminal uses the communication key K_a to encrypt the data to be predicted together with the signature, obtaining the ciphertext c, i.e. [Figure FDA0002467671890000038], and sends the ciphertext to the RPC server module.
6. The SGX-based safe and efficient deep learning model prediction method according to claim 5, wherein the step S4 comprises:
S401, the RPC server module uses the communication key K_b to decrypt the ciphertext c, i.e. [Figure FDA0002467671890000039]; if decryption succeeds, go to step S402; otherwise return an error message;
S402, the RPC server module obtains the decryption result (x || t_m || sign_x) and verifies the signature sign_x with the public key PK_a; if the verification passes, execute step S403; otherwise return an error message;
S403, the RPC server module looks up the deep learning model m' in the deep learning model library by the model label t_m, loads m' into GPU video memory and SGX memory, and takes the decrypted x as the input of m'.
7. The SGX-based safe and efficient deep learning model prediction method of claim 6, wherein the steps S5 and S6 comprise:
S601, the RPC server module inside the SGX first selects a random number r_i from the domain [Figure FDA0002467671890000041] and, from the weight matrix W_i and bias b_i, computes the linear result u_i corresponding to r_i, i.e. u_i = W_i r_i, which serves as the mask; here, for the i-th layer linear operation to be outsourced to the GPU, the weight is an m_i × n_i matrix W_i and the bias is b_i;
S602, the RPC server module adds the mask to the data x_i that needs linear computation, obtaining [Figure FDA0002467671890000042], i.e. [Figure FDA0002467671890000043], and sends [Figure FDA0002467671890000044] to the GPU acceleration module;
S603, the GPU acceleration module performs the linear operation on [Figure FDA0002467671890000045], i.e. [Figure FDA0002467671890000046], and sends [Figure FDA0002467671890000047] to the RPC server module;
S604, the RPC server module subtracts the mask u_i from [Figure FDA0002467671890000048] to obtain the computation result y_i, i.e. y_i = W_i x_i + b_i; the deep learning model continues with the next operation using y_i; steps S601 to S604 are repeated until the deep learning model prediction process ends.
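The masked outsourcing of S601 to S604, as an added worked example in Python; this is not code from the patent or its authors. The page shows the mask domain only as an image, so the example assumes the prime field Z_Q with Q = 2^61 - 1 and integer (quantised) weights. For S604 to yield y_i = W_i x_i + b_i after subtracting u_i = W_i r_i, the value added to x_i in S602 has to be the random r_i itself, which is what the example does. The UntrustedGpu class, the relu step, the two-layer network and the input are constructed for the example. Two things the page's own formulas imply are visible in it: the GPU side holds W_i and b_i in clear (S403 loads m' into GPU memory), so the mask protects the input and activations but not the weights; and computing u_i = W_i r_i is itself an m_i × n_i matrix-vector product done inside the enclave for every outsourced layer.

```python
import secrets

# Assumption: the page shows the mask domain only as an image.  Working in the prime field
# Z_Q makes x_i + r_i a one-time pad, so the GPU learns nothing about x_i.  Weights and
# activations are integers (a quantised network) and are decoded as signed values in
# (-Q/2, Q/2) for the non-linear step, which never leaves the enclave.
Q = (1 << 61) - 1

def matvec(W, v):
    """W v over Z_Q, with W given as a list of rows (the page's m_i x n_i matrix W_i)."""
    return [sum(w * a for w, a in zip(row, v)) % Q for row in W]

def add(u, v):
    return [(a + b) % Q for a, b in zip(u, v)]

def sub(u, v):
    return [(a - b) % Q for a, b in zip(u, v)]

class UntrustedGpu:
    """The GPU acceleration module.  S403 loads m' into GPU memory, so it holds every
    W_i and b_i in clear; it only ever receives masked inputs and records each one."""
    def __init__(self, layers):
        self.layers = layers            # list of (W_i, b_i)
        self.seen = []

    def linear(self, i, masked):        # S603: returns W_i * masked + b_i
        W, b = self.layers[i]
        self.seen.append(list(masked))
        return add(matvec(W, masked), b)

def enclave_linear(gpu, i, W, b, x):
    """S601-S604 for layer i, run by the RPC server module inside the enclave.  S604
    yields W_i x_i + b_i only because the value added to x_i is the same r_i whose
    image u_i = W_i r_i is subtracted afterwards."""
    r = [secrets.randbelow(Q) for _ in x]   # S601: random r_i from Z_Q
    u = matvec(W, r)                        # u_i = W_i r_i, the mask removed in S604
    out = gpu.linear(i, add(x, r))          # S602/S603: outsource W_i (x_i + r_i) + b_i
    return sub(out, u)                      # S604: y_i = W_i x_i + b_i

def to_signed(v):
    return v - Q if v > Q // 2 else v

def relu(y):
    """Non-linear layer, computed inside the enclave on the unmasked y_i."""
    return [max(0, to_signed(a)) % Q for a in y]

def predict(layers, x):
    """Layer-by-layer inference (S5/S6): each linear layer is outsourced under a fresh
    mask, each non-linearity stays inside.  Returns (signed logits, argmax, GPU log)."""
    gpu = UntrustedGpu(layers)
    h = [a % Q for a in x]
    for i, (W, b) in enumerate(layers):
        h = enclave_linear(gpu, i, W, b, h)
        if i < len(layers) - 1:
            h = relu(h)
    logits = [to_signed(a) for a in h]
    return logits, logits.index(max(logits)), gpu.seen

def reference(layers, x):
    """Plain integer evaluation with nothing outsourced, to check the masked path against."""
    h = x
    for i, (W, b) in enumerate(layers):
        h = [sum(w * a for w, a in zip(row, h)) + c for row, c in zip(W, b)]
        if i < len(layers) - 1:
            h = [max(0, a) for a in h]
    return h

def mask_explaining(masked, x_other):
    """Any candidate input x' is consistent with a value the GPU saw: r' = masked - x'.
    That is why the record in gpu.seen carries no information about the true x_i."""
    return sub(masked, [a % Q for a in x_other])

# Constructed two-layer network and input; all values are small signed integers.
LAYERS = [([[1, 2, -1], [0, 1, 3]], [1, -2]),
          ([[1, -1], [-2, 3]], [0, 1])]
X = [2, 1, 1]
```

predict(LAYERS, X) and reference(LAYERS, X) agree on the logits, while every vector in the GPU log is uniformly random in Z_Q and, as mask_explaining shows, equally consistent with any other input. Over floating-point activations, which is what a real framework would hand to the GPU, a random additive mask does not give this one-time-pad property, so the choice of domain in S601 is what decides how much the GPU can infer.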
8. The SGX-based safe and efficient deep learning model prediction method of claim 7, wherein the step S7 comprises:
S701, the RPC server module uses its private key SK_b to sign the prediction result p, obtaining the signature sign_p, i.e. [Figure FDA0002467671890000049];
S702, the RPC server module uses the communication key K_b to encrypt the prediction result p and the signature sign_p, obtaining the ciphertext c_p, i.e. [Figure FDA00024676718900000410], and sends c_p to the model user terminal;
S703, the model user terminal uses the communication key K_a to decrypt the ciphertext c_p, obtaining (p || sign_p), and verifies the signature sign_p with the public key PK_b of the RPC server module, ensuring the integrity of the result; if the verification succeeds, the prediction result is correct.
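The key agreement and the signed, encrypted exchange of S201 to S204, S301 to S302, S401 to S402 and S701 to S703, as an added example in Python; this is not code from the patent or its authors. The page does not show p, g, the signature scheme or the cipher, so the example assumes: a toy group with the Mersenne prime P = 2^61 - 1 and a primitive root found by the factor test (a real deployment needs a group of at least 2048 bits); Schnorr signatures in that same group for PK_a/SK_a and PK_b/SK_b; a SHA-256 hash of g^(r1 r2) mod p as the communication key; and an HMAC-SHA256 encrypt-then-MAC construction whose tag check is the "decryption fails" branch of S401. The S201 step of encrypting p and g under PK_a is not reproduced, since p and g are public constants here; toy_model and the length-prefixed pack/unpack framing are constructed for the example.

```python
import hashlib
import hmac
import secrets

def is_primitive_root(g: int) -> bool:
    # g generates Z_p^* iff g**((p-1)/f) != 1 (mod p) for every prime factor f of p-1
    return all(pow(g, N // f, P) != 1 for f in P_MINUS_1_FACTORS)

# Assumed toy group: P = 2**61 - 1 (the Mersenne prime M61) stands in for the page's p.
# It is far too small for real use.  P_MINUS_1_FACTORS are the prime factors of P - 1,
# needed to test for a primitive root as S201 requires.
P = (1 << 61) - 1
N = P - 1                        # order of Z_p^*; every exponent is reduced mod N
P_MINUS_1_FACTORS = [2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321]
ELEN = 8                         # byte width of a group element (P < 2**64)
G = next(g for g in range(2, P) if is_primitive_root(g))   # the page's primitive root g

def rand_exponent() -> int:      # uniform in 1 <= r <= p-1, the range given for r1, r2
    return secrets.randbelow(N) + 1

def keygen() -> tuple:
    sk = rand_exponent()
    return sk, pow(G, sk, P)

def _challenge(R: int, pk: int, msg: bytes) -> int:
    h = hashlib.sha256(R.to_bytes(ELEN, "big") + pk.to_bytes(ELEN, "big") + msg).digest()
    return int.from_bytes(h, "big") % N

def sign(sk: int, msg: bytes) -> bytes:
    """Schnorr signature in the same group (assumption: the page names no scheme)."""
    k = rand_exponent()
    e = _challenge(pow(G, k, P), pow(G, sk, P), msg)
    return e.to_bytes(ELEN, "big") + ((k + e * sk) % N).to_bytes(ELEN, "big")

def verify(pk: int, msg: bytes, sig: bytes) -> bool:
    e, s = int.from_bytes(sig[:ELEN], "big"), int.from_bytes(sig[ELEN:], "big")
    R = pow(G, s, P) * pow(pk, N - e, P) % P   # g^s * pk^-e equals g^k for a valid signature
    return _challenge(R, pk, msg) == e

def derive_key(shared: int) -> bytes:       # S204: hash g^(r1*r2) mod p into the comm key
    return hashlib.sha256(b"comm-key" + shared.to_bytes(ELEN, "big")).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream and tag (assumption: no cipher named)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    """None when the tag does not verify: the 'decryption fails' branch of S401."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def pack(*fields: bytes) -> bytes:          # length-prefixed x || t_m || sign_x framing
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def unpack(blob: bytes) -> list:
    out = []
    while blob:
        n = int.from_bytes(blob[:4], "big")
        out.append(blob[4:4 + n])
        blob = blob[4 + n:]
    return out

def toy_model(t_m: bytes, x: bytes) -> bytes:   # constructed stand-in for S403 and S5/S6
    return b"positive" if t_m == b"m1" and x[0] > 127 else b"negative"

def run_prediction(x: bytes, t_m: bytes, tamper: bool = False):
    """One S2-S7 round trip between terminal (a) and RPC server (b); None if any check fails."""
    sk_a, pk_a = keygen()                       # terminal's long-term key pair
    sk_b, pk_b = keygen()                       # RPC server module's long-term key pair
    r1, r2 = rand_exponent(), rand_exponent()   # S202/S203: ephemeral exponents
    A, B = pow(G, r1, P), pow(G, r2, P)         # the values each side sends to the other
    K_a, K_b = derive_key(pow(B, r1, P)), derive_key(pow(A, r2, P))   # S204: K_a == K_b
    sign_x = sign(sk_a, pack(x, t_m))           # S301: sign x || t_m with SK_a
    c = encrypt(K_a, pack(x, t_m, sign_x))      # S302: encrypt x || t_m || sign_x with K_a
    if tamper:                                  # an attacker flips one ciphertext byte
        c = c[:20] + bytes([c[20] ^ 1]) + c[21:]
    plain = decrypt(K_b, c)                     # S401: decrypt with K_b
    if plain is None:
        return None
    x2, t2, sig2 = unpack(plain)                # S402: verify sign_x with PK_a
    if not verify(pk_a, pack(x2, t2), sig2):
        return None
    p = toy_model(t2, x2)                       # S403 and S5/S6: the model runs on x
    c_p = encrypt(K_b, pack(p, sign(sk_b, p)))  # S701/S702: sign with SK_b, encrypt with K_b
    plain_p = decrypt(K_a, c_p)                 # S703: decrypt with K_a, verify with PK_b
    if plain_p is None:
        return None
    p2, sig_p = unpack(plain_p)
    return p2 if verify(pk_b, p2, sig_p) else None
```

Because K_a and K_b are derived independently on each side, the S204 condition K_a = K_b can only be confirmed by a message that actually decrypts and verifies, which is what the tamper=True path exercises: a single flipped ciphertext byte fails the tag check, and the server returns an error instead of feeding the data to the model. Note that the exchange as described authenticates the data with the long-term keys but not the g^r1 and g^r2 values themselves; binding those into what is signed is what a practitioner would add before relying on it.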
CN202010338636.2A 2020-04-26 2020-04-26 SGX-based safe and efficient deep learning model prediction system and method Active CN111582496B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010338636.2A CN111582496B (en) 2020-04-26 2020-04-26 SGX-based safe and efficient deep learning model prediction system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010338636.2A CN111582496B (en) 2020-04-26 2020-04-26 SGX-based safe and efficient deep learning model prediction system and method

Publications (2)

Publication Number Publication Date
CN111582496A true CN111582496A (en) 2020-08-25
CN111582496B CN111582496B (en) 2023-05-30

Family

ID=72120648

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010338636.2A Active CN111582496B (en) 2020-04-26 2020-04-26 SGX-based safe and efficient deep learning model prediction system and method

Country Status (1)

Country Link
CN (1) CN111582496B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107066791A (en) * 2016-12-19 2017-08-18 银江股份有限公司 A kind of aided disease diagnosis method based on patient's assay
CN109308418A (en) * 2017-07-28 2019-02-05 阿里巴巴集团控股有限公司 A kind of model training method and device based on shared data
CN108712260A (en) * 2018-05-09 2018-10-26 曲阜师范大学 The multi-party deep learning of privacy is protected to calculate Proxy Method under cloud environment
CN109684855A (en) * 2018-12-17 2019-04-26 电子科技大学 A kind of combined depth learning training method based on secret protection technology

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112528299A (en) * 2020-12-04 2021-03-19 电子科技大学 Deep neural network model safety protection method in industrial application scene
CN112528299B (en) * 2020-12-04 2022-03-04 电子科技大学 Deep neural network model safety protection method in industrial application scene
CN113591098A (en) * 2021-06-11 2021-11-02 浙江大学 Remote secure heterogeneous computing method and system based on SGX
CN113591098B (en) * 2021-06-11 2024-03-26 浙江大学 SGX-based remote secure heterogeneous computing method and system
CN115543587A (en) * 2022-11-29 2022-12-30 暨南大学 Service life driven OpenCL application scheduling method and system
CN115543587B (en) * 2022-11-29 2023-03-07 暨南大学 Service life driven OpenCL application scheduling method and system

Also Published As

Publication number Publication date
CN111582496B (en) 2023-05-30

Similar Documents

Publication Publication Date Title
US10944751B2 (en) Generating cryptographic function parameters from compact source code
CN110363030A (en) For executing the method and processing equipment of the Password Operations based on lattice
CN111582496B (en) SGX-based safe and efficient deep learning model prediction system and method
US11316665B2 (en) Generating cryptographic function parameters based on an observed astronomical event
US20100115260A1 (en) Universal secure token for obfuscation and tamper resistance
CN111901111B (en) SM9 key generation method, device and system and readable storage medium
CN111131278A (en) Data processing method and device, computer storage medium and electronic equipment
US10079675B2 (en) Generating cryptographic function parameters from a puzzle
US11902432B2 (en) System and method to optimize generation of coprime numbers in cryptographic applications
WO2015008607A1 (en) Decoding device, decoding ability providing device, method thereof, and program
CN116170131B (en) Ciphertext processing method, ciphertext processing device, storage medium and trusted execution device
CN113055153A (en) Data encryption method, system and medium based on fully homomorphic encryption algorithm
US20230141210A1 (en) Neural networks
CN111314051B (en) Encryption and decryption method and device
CN115460020B (en) Data sharing method, device, equipment and storage medium
KOTEL et al. A Data Security Algorithm for the Cloud Computing based on Elliptic Curve Functions and Sha3 Signature
Eshghi et al. Security Enhancement of Wireless Sensor Networks: A Hybrid Efficient Encryption Algorithm Approach
JP6267657B2 (en) Safety enhancement method, safety enhancement system, safety enhancement device, verification device, and program
CN116614275B (en) Method for entrusting acceleration of privacy computing integrated machine
CN114726543B (en) Key chain generation and message sending and receiving methods and devices based on message chain
US8295480B1 (en) Uncertainty-based key agreement protocol
CN118174967A (en) Information verification method and related equipment
CN118249992A (en) White-box disciplinable inner product function encryption method and system
CN117395034A (en) Block chain user privacy protection method based on trusted computing
Wan et al. ACMHS: Efficient access control for mobile health care system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant